CVE-2022-23549

MEDIUM6.5EPSS 0.33%

Discourse vulnerable to bypass of post max_length using HTML comments

Published: 3/6/2024Modified: 10/14/2025

Description

Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, users can create posts with raw body longer than the `max_length` site setting by including html comments that are not counted toward the character limit. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds.

Affected packages (1)

Bitnami/discoursefrom 0, < 2.8.14

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

References (3)

WEBhttps://github.com/discourse/discourse/commit/bf6b08670a927cc80bb090b7a2e710b4b554e6a8
WEBhttps://github.com/discourse/discourse/security/advisories/GHSA-p47g-v5wr-p4xp
WEBhttps://nvd.nist.gov/vuln/detail/CVE-2022-23549